Dependency org.postgresql:postgresql, leading to CVE problem
CVEDetect opened this issue · 1 comment
CVEDetect commented
Hi, in processor, there is a dependency **org.postgresql:postgresql:42.2.5.jre6** that calls the risk method.
The affected version range of this CVE is [42.1.0,42.3.3).
After further analysis, in this project, the main API called is `org.postgresql.Driver: connect(java.lang.String,java.util.Properties)Ljava.sql.Connection;`
Risk method repair link: GitHub
CVE bug invocation path:

Path length: 6

```
com.dslplatform.json.AnnotationCompiler: buildExternalJson(java.lang.String,com.dslplatform.json.AnnotationCompiler$CompileOptions,com.dslplatform.json.processor.LogLevel,javax.annotation.processing.Messager)Ljava.lang.String; /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.Main: processContext(com.dslplatform.compiler.client.Context,java.util.List)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: check(com.dslplatform.compiler.client.Context)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: testConnection(com.dslplatform.compiler.client.Context)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: getConnection(com.dslplatform.compiler.client.Context,java.lang.String)Ljava.sql.Connection; /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
org.postgresql.Driver: connect(java.lang.String,java.util.Properties)Ljava.sql.Connection;
```
Dependency tree:

```
[INFO] com.dslplatform:dsl-json-processor:jar:1.10.0
[INFO] +- com.dslplatform:dsl-clc:jar:1.9.10:compile
[INFO] |  +- org.postgresql:postgresql:jar:42.2.5.jre6:compile
[INFO] |  \- org.fusesource.jansi:jansi:jar:1.17.1:compile
[INFO] +- com.dslplatform:dsl-json:jar:1.10.0:compile
[INFO] +- com.dslplatform:dsl-json-java8:jar:1.10.0:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.assertj:assertj-core:jar:3.10.0:test
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.3:test
[INFO] +- com.google.code.findbugs:jsr305:jar:2.0.1:test
[INFO] +- com.google.code.gson:gson:jar:2.5:test
[INFO] \- javax.validation:validation-api:jar:2.0.1.Final:test
```
Suggested solutions:

- Update dependency version

Thank you very much.
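The check a maintainer would want to run on a report like this is whether the flagged coordinate actually sits inside the stated range, and through which parent it is pulled in. The script below is an added example, not code from this issue or from the dsl-json project: it parses `mvn dependency:tree` output, locates a given `groupId:artifactId`, evaluates a single Maven version range such as `[42.1.0,42.3.3)`, and reports the transitive path and scope of every hit. The sample tree is reconstructed from the listing in the issue, and the version ordering is a deliberate simplification of Maven's `ComparableVersion` (numeric dot-separated parts first, then an opaque qualifier), which is adequate for release and `jreN`-style versions but not for alpha/beta/SNAPSHOT ordering.

```python
"""Find artifacts inside a vulnerable Maven version range in `mvn dependency:tree` output.

Added example for illustration; not part of the dsl-json project.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the dependency tree quoted in the issue above.
SAMPLE_TREE = """\
[INFO] com.dslplatform:dsl-json-processor:jar:1.10.0
[INFO] +- com.dslplatform:dsl-clc:jar:1.9.10:compile
[INFO] |  +- org.postgresql:postgresql:jar:42.2.5.jre6:compile
[INFO] |  \\- org.fusesource.jansi:jansi:jar:1.17.1:compile
[INFO] +- com.dslplatform:dsl-json:jar:1.10.0:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Affected range exactly as stated in the issue, in Maven range syntax.
AFFECTED_RANGE = "[42.1.0,42.3.3)"

INFO_PREFIX_RE = re.compile(r"^\[INFO\]\s?")
FIRST_TOKEN_RE = re.compile(r"[A-Za-z0-9_]")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '42.2.5.jre6' into ((42, 2, 5), 'jre6').

    Simplification of Maven's ComparableVersion: leading integer parts form the
    numeric key (trailing zeros dropped so 1.0 == 1), anything after them is an
    opaque qualifier used as a secondary key, with the empty qualifier first.
    """
    parts = re.split(r"[.-]", text)
    nums: List[int] = []
    i = 0
    while i < len(parts) and parts[i].isdigit():
        nums.append(int(parts[i]))
        i += 1
    qualifier = ".".join(parts[i:])
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums), qualifier


def in_range(version: str, range_spec: str) -> bool:
    """True if `version` lies inside one Maven range such as '[42.1.0,42.3.3)'.

    '[' / ']' are inclusive bounds, '(' / ')' exclusive; an empty bound is
    unbounded; '[1.0]' with no comma pins exactly that version.
    """
    spec = range_spec.strip()
    if len(spec) < 3 or spec[0] not in "[(" or spec[-1] not in "])":
        raise ValueError(f"not a Maven version range: {range_spec!r}")
    lower_inclusive, upper_inclusive = spec[0] == "[", spec[-1] == "]"
    lower, sep, upper = spec[1:-1].partition(",")
    if not sep:
        upper = lower
    v = parse_version(version)
    if lower:
        lo = parse_version(lower)
        if v < lo or (v == lo and not lower_inclusive):
            return False
    if upper:
        hi = parse_version(upper)
        if v > hi or (v == hi and not upper_inclusive):
            return False
    return True


def parse_tree(tree_text: str) -> List[Dict[str, object]]:
    """Turn dependency:tree lines into dicts with group, artifact, version,
    scope, depth (0 = the project itself) and the path of parents to it."""
    deps: List[Dict[str, object]] = []
    stack: List[str] = []  # labels of the ancestors at each depth
    for raw in tree_text.splitlines():
        line = INFO_PREFIX_RE.sub("", raw)
        m = FIRST_TOKEN_RE.search(line)
        if not m:
            continue
        depth = m.start() // 3  # drawing prefixes '+- ', '\- ', '|  ' are 3 chars each
        coord = line[m.start():].strip().split(":")
        if len(coord) == 4:        # group:artifact:type:version (the root project)
            group, artifact, _, version = coord
            scope = None
        elif len(coord) == 5:      # ... plus scope
            group, artifact, _, version, scope = coord
        elif len(coord) == 6:      # ... with a classifier before the version
            group, artifact, _, _, version, scope = coord
        else:
            continue
        label = f"{group}:{artifact}:{version}"
        del stack[depth:]
        stack.append(label)
        deps.append({"group": group, "artifact": artifact, "version": version,
                     "scope": scope, "depth": depth, "path": list(stack)})
    return deps


def find_affected(tree_text: str, group: str, artifact: str,
                  range_spec: str) -> List[Dict[str, object]]:
    """All occurrences of group:artifact whose version falls inside range_spec."""
    return [d for d in parse_tree(tree_text)
            if d["group"] == group and d["artifact"] == artifact
            and in_range(str(d["version"]), range_spec)]


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_TREE, "org.postgresql", "postgresql", AFFECTED_RANGE):
        print(f"{hit['group']}:{hit['artifact']}:{hit['version']} ({hit['scope']} scope) "
              f"inside {AFFECTED_RANGE}, pulled in via: " + " -> ".join(hit["path"]))
```

Run it against the real output of `mvn dependency:tree` to confirm a reported coordinate is reachable at compile scope rather than only at test scope, and to see which direct dependency (here `dsl-clc`) would have to be bumped or have the artifact overridden for the fix to take effect.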
zapov commented
This wasn't relevant before, and now this project does not exist anymore.